Fix potential shift out-of-bounds in xenhcd_hub_control() ClearPortFeature handling and SetPortFeature handling. wValue may be greater than 32 which can not be used for shifting. similar patch: https://patchwork.kernel.org/patch/12162547 Signed-off-by: Zhang Shurong <zhang_shurong@xxxxxxxxxxx> --- drivers/usb/host/xen-hcd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/host/xen-hcd.c b/drivers/usb/host/xen-hcd.c index 46fdab940092..c0e7207d3857 100644 --- a/drivers/usb/host/xen-hcd.c +++ b/drivers/usb/host/xen-hcd.c @@ -456,6 +456,8 @@ static int xenhcd_hub_control(struct usb_hcd *hcd, __u16 typeReq, __u16 wValue, info->ports[wIndex - 1].c_connection = false; fallthrough; default: + if (wValue >= 32) + goto error; info->ports[wIndex - 1].status &= ~(1 << wValue); break; } @@ -527,6 +529,8 @@ static int xenhcd_hub_control(struct usb_hcd *hcd, __u16 typeReq, __u16 wValue, xenhcd_rhport_suspend(info, wIndex); break; default: + if (wValue >= 32) + goto error; if (info->ports[wIndex-1].status & USB_PORT_STAT_POWER) info->ports[wIndex-1].status |= (1 << wValue); } -- 2.41.0
